SHARE
TWEET

devilsoulblack

a guest Apr 10th, 2008 240 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Exim filter
  2. ## Version: 0.17
  3. #       $Id: system_filter.exim,v 1.11 2001/09/19 11:27:56 nigel Exp $
  4.  
  5. ## Exim system filter to refuse potentially harmful payloads in
  6. ## mail messages
  7. ## (c) 2000-2001 Nigel Metheringham <nigel@exim.org>
  8. ##
  9. ##     This program is free software; you can redistribute it and/or modify
  10. ##    it under the terms of the GNU General Public License as published by
  11. ##    the Free Software Foundation; either version 2 of the License, or
  12. ##    (at your option) any later version.
  13. ##
  14. ##    This program is distributed in the hope that it will be useful,
  15. ##    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. ##    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17. ##    GNU General Public License for more details.
  18. ##
  19. ##    You should have received a copy of the GNU General Public License
  20. ##    along with this program; if not, write to the Free Software
  21. ##    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  22. ## -A copy of the GNU General Public License is distributed with exim itself
  23.  
  24. ## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  25. ## If you haven't worked with exim filters before, read
  26. ## the install notes at the end of this file.
  27. ## The install notes are not a replacement for the exim documentation
  28. ## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  29.  
  30. ## -----------------------------------------------------------------------
  31. # Only run any of this stuff on the first pass through the
  32. # filter - this is an optomisation for messages that get
  33. # queued and have several delivery attempts
  34. #
  35. # we express this in reverse so we can just bail out
  36. # on inappropriate messages
  37. #
  38. if not first_delivery
  39. then
  40.   finish
  41. endif
  42. ## -----------------------------------------------------------------------
  43. # Check for MS buffer overruns as per BUGTRAQ.
  44. # http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
  45. # This could happen in error messages, hence its placing
  46. # here...
  47. # We substract the first n characters of the date header
  48. # and test if its the same as the date header... which
  49. # is a lousy way of checking if the date is longer than
  50. # n chars long
  51. if ${length_80:$header_date:} is not $header_date:
  52. then
  53.   fail text "This message has been rejected because it has\n\
  54.              an overlength date field which can be used\n\
  55.              to subvert Microsoft mail programs\n\
  56.             The following URL has further information\n\
  57.              http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
  58.   seen finish
  59. endif
  60.  
  61. ## -----------------------------------------------------------------------
  62. # These messages are now being sent with a <> envelope sender, but
  63. # blocking all error messages that pattern match prevents
  64. # bounces getting back.... so we fudge it somewhat and check for known
  65. # header signatures.  Other bounces are allowed through.
  66. if $header_from: contains "@sexyfun.net"
  67. then
  68.   fail text "This message has been rejected since it has\n\
  69.              the signature of a known virus in the header."
  70.   seen finish
  71. endif
  72. if error_message and $header_from: contains "Mailer-Daemon@"
  73. then
  74.   # looks like a real error message - just ignore it
  75.   finish
  76. endif
  77.  
  78. ## -----------------------------------------------------------------------
  79. # Look for single part MIME messages with suspicious name extensions
  80. # Check Content-Type header using quoted filename [content_type_quoted_fn_match]
  81. if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
  82. then
  83.   fail text "This message has been rejected because it has\n\
  84.              potentially executable content $1\n\
  85.              This form of attachment has been used by\n\
  86.             recent viruses or other malware.\n\
  87.              If you meant to send this file then please\n\
  88.              package it up as a zip file and resend it."
  89.   seen finish
  90. endif
  91. # same again using unquoted filename [content_type_unquoted_fn_match]
  92. if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
  93. then
  94.   fail text "This message has been rejected because it has\n\
  95.              potentially executable content $1\n\
  96.              This form of attachment has been used by\n\
  97.             recent viruses or other malware.\n\
  98.              If you meant to send this file then please\n\
  99.              package it up as a zip file and resend it."
  100.   seen finish
  101. endif
  102.  
  103.  
  104. ## -----------------------------------------------------------------------
  105. # Attempt to catch embedded VBS attachments
  106. # in emails.   These were used as the basis for
  107. # the ILOVEYOU virus and its variants - many many varients
  108. # Quoted filename - [body_quoted_fn_match]
  109. if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
  110. then
  111.   fail text "This message has been rejected because it has\n\
  112.              a potentially executable attachment $1\n\
  113.              This form of attachment has been used by\n\
  114.             recent viruses or other malware.\n\
  115.              If you meant to send this file then please\n\
  116.              package it up as a zip file and resend it."
  117.   seen finish
  118. endif
  119. # same again using unquoted filename [body_unquoted_fn_match]
  120. if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
  121. then
  122.   fail text "This message has been rejected because it has\n\
  123.              a potentially executable attachment $1\n\
  124.              This form of attachment has been used by\n\
  125.             recent viruses or other malware.\n\
  126.              If you meant to send this file then please\n\
  127.              package it up as a zip file and resend it."
  128.   seen finish
  129. endif
  130. ## -----------------------------------------------------------------------
  131.  
  132.  
  133. #### Version history
  134. #
  135. # 0.01 5 May 2000
  136. #       Initial release
  137. # 0.02 8 May 2000
  138. #       Widened list of content-types accepted, added WSF extension
  139. # 0.03 8 May 2000
  140. #       Embedded the install notes in for those that don't do manuals
  141. # 0.04 9 May 2000
  142. #       Check global content-type header.  Efficiency mods to REs
  143. # 0.05 9 May 2000
  144. #       More minor efficiency mods, doc changes
  145. # 0.06 20 June 2000
  146. #       Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
  147. # 0.07 19 July 2000
  148. #       Latest MS Outhouse bug catching
  149. # 0.08 19 July 2000
  150. #       Changed trigger length to 80 chars, fixed some spelling
  151. # 0.09 29 September 2000
  152. #       More extensions... its getting so we should just allow 2 or 3 through
  153. # 0.10 18 January 2001
  154. #       Removed exclusion for error messages - this is a little nasty
  155. #       since it has other side effects, hence we do still exclude
  156. #       on unix like error messages
  157. # 0.11 20 March, 2001
  158. #       Added CMD extension, tidied docs slightly, added RCS tag
  159. #       ** Missed changing version number at top of file :-(
  160. # 0.12 10 May, 2001
  161. #       Added HTA extension
  162. # 0.13 22 May, 2001
  163. #       Reformatted regexps and code to build them so that they are
  164. #       shorter than the limits on pre exim 3.20 filters.  This will
  165. #       make them significantly less efficient, but I am getting so
  166. #       many queries about this that requiring 3.2x appears unsupportable.
  167. # 0.14 15 August,2001
  168. #       Added .lnk extension - most requested item :-)
  169. #       Reformatted everything so its now built from a set of short
  170. #       library files, cutting down on manual duplication.
  171. #       Changed \w in filename detection to . - dodges locale problems
  172. #       Explicit application of GPL after queries on license status
  173. # 0.15 17 August, 2001
  174. #       Changed the . in filename detect to \S (stops it going mad)
  175. # 0.16 19 September, 2001
  176. #       Pile of new extensions including the eml in current use
  177. # 0.17 19 September, 2001
  178. #       Syntax fix
  179. #
  180. #### Install Notes
  181. #
  182. # Exim filters run the exim filter language - a very primitive
  183. # scripting language - in place of a user .forward file, or on
  184. # a per system basis (on all messages passing through).
  185. # The filtering capability is documented in the main set of manuals
  186. # a copy of which can be found on the exim web site
  187. #       http://www.exim.org/
  188. #
  189. # To install, copy the filter file (with appropriate permissions)
  190. # to /etc/exim/system_filter.exim and add to your exim config file
  191. # [location is installation depedant - typicaly /etc/exim/config ]
  192. # in the first section the line:-
  193. #       message_filter = /etc/exim/system_filter.exim
  194. #       message_body_visible = 5000
  195. #
  196. # You may also want to set the message_filter_user & message_filter_group
  197. # options, but they default to the standard exim user and so can
  198. # be left untouched.  The other message_filter_* options are only
  199. # needed if you modify this to do other functions such as deliveries.
  200. # The main exim documentation is quite thorough and so I see no need
  201. # to expand it here...
  202. #
  203. # Any message that matches the filter will then be bounced.
  204. # If you wish you can change the error message by editing it
  205. # in the section above - however be careful you don't break it.
  206. #
  207. # After install exim should be restarted - a kill -HUP to the
  208. # daemon will do this.
  209. #
  210. #### LIMITATIONS
  211. #
  212. # This filter tries to parse MIME with a regexp... that doesn't
  213. # work too well.  It will also only see the amount of the body
  214. # specified in message_body_visible
  215. #
  216. #### BASIS
  217. #
  218. # The regexp that is used to pickup MIME/uuencoded body parts with
  219. # quoted filenames is replicated below (in perl format).  
  220. # You need to remember that exim converts newlines to spaces in
  221. # the message_body variable.
  222. #
  223. #         (?:Content-                                   # start of content header
  224. #         (?:Type: (?>\s*)                              # rest of c/t header
  225. #           [\w-]+/[\w-]+                               # content-type (any)
  226. #           |Disposition: (?>\s*)                       # content-disposition hdr
  227. #           attachment)                                 # content-disposition
  228. #         ;(?>\s*)                                      # ; space or newline
  229. #         (?:file)?name=                                # filename=/name=
  230. #         |begin (?>\s+) [0-7]{3,4} (?>\s+))            # begin octal-mode
  231. #         (\"[^\"]+\.                                   # quoted filename.
  232. #               (?:ad[ep]                               # list of extns
  233. #               |ba[st]
  234. #               |chm
  235. #               |cmd
  236. #               |com
  237. #               |cpl
  238. #               |crt
  239. #               |eml
  240. #               |exe
  241. #               |hlp
  242. #               |hta
  243. #               |in[fs]
  244. #               |isp
  245. #               |jse?
  246. #               |lnk
  247. #               |md[be]
  248. #               |ms[cipt]
  249. #               |pcd
  250. #               |pif
  251. #               |reg
  252. #               |scr
  253. #               |sct
  254. #               |shs
  255. #               |url
  256. #               |vb[se]
  257. #               |ws[fhc])
  258. #         \"                                            # end quote
  259. #         )                                             # end of filename capture
  260. #         [\s;]                                         # trailing ;/space/newline
  261.  
  262. #
  263. #
  264. ### [End]
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top